xfs_repair: don't crash if da btree is corrupt
authorDarrick J. Wong <darrick.wong@oracle.com>
Wed, 23 May 2018 21:30:48 +0000 (16:30 -0500)
committerEric Sandeen <sandeen@redhat.com>
Wed, 23 May 2018 21:30:48 +0000 (16:30 -0500)
In the recursive verify_da_path call chain, we decide to examine the
next upper level if the current entry points past the end of the
entries.  However, we don't check for a node with zero entries (which
should be impossible) so we run right off the end of the da cursor's
level array and crash.  Found by fuzzing hdr.count in xfs/402.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
repair/da_util.c

index a65652fa9798436ae7214f21ad5c552fb4e37648..bca4060d1a698e4c9b18dd0bf9a637e36b6fb720 100644 (file)
@@ -526,6 +526,10 @@ verify_da_path(
        else
                geo = mp->m_attr_geo;
 
+       /* No buffer at this level, tree is corrupt. */
+       if (cursor->level[this_level].bp == NULL)
+               return 1;
+
        /*
         * index is currently set to point to the entry that
         * should be processed now in this level.
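Review bot: The added guard reads `cursor->level[this_level]` before anything in the hunk confirms that `this_level` is a valid index into the level array, so if the recursion climbs past the top slot the NULL test itself is an out-of-bounds read. As written, the check depends on the slot just above the root lying inside the array and holding a NULL `bp`. Bounding the index first removes that dependence on how the cursor was initialised, e.g. `if (this_level >= XFS_DA_NODE_MAXDEPTH || cursor->level[this_level].bp == NULL)`, assuming the array is declared with that size (its declaration is not in the hunk). verify_da_path begins and ends outside this hunk, so an equivalent bound may already be enforced earlier.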
@@ -535,6 +539,10 @@ verify_da_path(
        btree = M_DIROPS(mp)->node_tree_p(node);
        M_DIROPS(mp)->node_hdr_from_disk(&nodehdr, node);
 
+       /* No entries in this node?  Tree is corrupt. */
+       if (nodehdr.count == 0)
+               return 1;
+
        /*
         * if this block is out of entries, validate this
         * block and move on to the next block.
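Review bot: The zero test on `nodehdr.count` covers only one end of a fuzzed header. A count larger than the node can hold passes it, and the entry index would then presumably be compared against, and `btree` indexed up to, a limit taken straight from disk. If the count was not already range-checked when this buffer was loaded into the cursor (not visible here), extend the guard to `if (nodehdr.count == 0 || nodehdr.count > geo->node_ents)`. Both new early returns in this commit are also silent, so a `do_warn()` identifying the block would tell the operator which structure was judged corrupt. The rest of verify_da_path lies outside the hunk.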